Failed Attempts to Logon to Splunk Web

The following Splunk Search Query will return all users who have failed to logon to the Splunk Web console. This query will also include an average (from eventstats).

 

index=_audit action="login attempt" info=failed | timechart count(user) as Failed_Attempts| eventstats avg(Failed_Attempts) as Average
Share This:

Comments

  1. JayhawkATL

    I get zero events over All Time when I search for:

    index=_audit action=”login attempt”

    Logging parameter not set correct???

Leave A Comment?